Merge remote-tracking branch 'upstream/master'

2014-07-30 16:02:09 -04:00 · 2014-07-30 16:02:09 -04:00 · 898195e1da
commit 898195e1da
parent 8ea0d19d2f 465318b352
2 changed files with 10 additions and 1 deletions
--- a/audit/api/src/main/java/org/keycloak/audit/Errors.java
+++ b/audit/api/src/main/java/org/keycloak/audit/Errors.java
@ -10,6 +10,7 @@ public interface Errors {
    String CLIENT_NOT_FOUND = "client_not_found";
    String CLIENT_DISABLED = "client_disabled";
    String INVALID_CLIENT_CREDENTIALS = "invalid_client_credentials";
+    String INVALID_CLIENT = "invalid_client";

    String USER_NOT_FOUND = "user_not_found";
    String USER_DISABLED = "user_disabled";
--- a/services/src/main/java/org/keycloak/services/resources/TokenService.java
+++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java
@ -761,8 +761,16 @@ public class TokenService {
            throw new BadRequestException("Client is not enabled", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
        }

+        if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
+            Map<String, String> error = new HashMap<String, String>();
+            error.put(OAuth2Constants.ERROR, "invalid_client");
+            error.put(OAuth2Constants.ERROR_DESCRIPTION, "Bearer-only not allowed");
+            audit.error(Errors.INVALID_CLIENT);
+            throw new BadRequestException("Bearer-only not allowed", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
+        }
+
        if (!client.isPublicClient()) {
-            if (!client.validateSecret(clientSecret)) {
+            if (clientSecret == null || !client.validateSecret(clientSecret)) {
                Map<String, String> error = new HashMap<String, String>();
                error.put(OAuth2Constants.ERROR, "unauthorized_client");
                audit.error(Errors.INVALID_CLIENT_CREDENTIALS);